REMARKS 



In the Official Action mailed on 17 October 2006, the Examiner reviewed 
claims 1-21. Claims 1-3, 5-10, 12-17, and 19-21 were rejected under 35 U.S.C. 
§ 103(a) as being anticipated by ASP Alliance (Introduction to Validating User 
Input in Web Forms, December 29, 2003, hereinafter "ASP"), in view of PBDR 
("SQL String Validation", June 24, 2003, hereinafter "PBDR"). Claims 4, 11, and 
18 were rejected under 35 U.S.C. § 103(a) as being unpatentable over ASP, in 
view of PBDR, and further in view of The PHP Group (Error Handling and 
Logging Functions, November 27, 2003, hereinafter "PHP"). 

Rejections under 35 U.S.C. § 103(a) 

Independent claims 1, 8, and 15 were rejected as being anticipated by ASP 
in view of PBDR. Applicant respectfully points out that ASP teaches using 
validation controls to validate user inputs received via web forms (see ASP, 
page 1, fourth paragraph). Furthermore, ASP teaches that there are different kinds 
of validation. However, ASP does not teach using signatures to detect structured 
query language (SQL) injection (see ASP, page 1, second paragraph). Moreover, 
ASP is limited to web forms (see ASP, page 1, first paragraph). 

In contrast, the present invention teaches parsing an SQL query at a 
database to determine if the signature exists in a database of valid query signatures 
(see paragraph [0029], and see paragraphs [0033]-[0034] of the instant 
application). Note that the present invention teaches validating the SQL query at 
the database and therefore, unlike ASP, is not limited to web-applications (see 
paragraph [0034] and FIG. 4 of the instant application). Furthermore, the present 
invention teaches a method geared specifically towards preventing SQL injection 
attacks, which is in contrast to ASP, which teaches a method for initiating 
validation code in general, but does not teach a method for stopping SQL 
injection. 

Examiner avers that PBDR teaches query signatures. Applicant 
respectfully disagrees. PBDR teaches validating a string to identify invalid 
characters. This is different from creating and validating a signature, which may 
consist entirely of valid characters, but may be structured in such a manner as to 
enable a malicious user to perpetrate a cyber attack on the database. For example, 
suppose that the query: 

SELECT prize, color FROM inventory WHERE ProdID =5 OR 1=1 

is invalid because of the "OR 1=1" clause. PBDR would be unable to identify this 
query as invalid because it does not contain any invalid characters. In contrast, 
the present invention would detect the query as invalid because the structure is 
invalid. Therefore, the present invention would prevent the database from 
executing the query. 
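
The distinction drawn above between character validation and structure (signature) validation can be illustrated as follows. This is an added example, not code from the instant application or from PBDR; the allowed character set, the tokenizer, and all function names are assumptions made for illustration.

```python
import re

# Character allow-list standing in for a PBDR-style string check (set is assumed).
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_ ,=*.]*")

# Token classes: string literal, numeric literal, keyword/identifier, operator.
TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|!=|[=<>(),*;.+\-/])
""", re.VERBOSE)

def char_filter_ok(query):
    """Character-level check: passes when no disallowed character is present."""
    return ALLOWED_CHARS.fullmatch(query) is not None

def signature(query):
    """Reduce a query to its structure: literals become '?', words are upper-cased."""
    parts, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(query, pos)
        if m is None:  # e.g. an unterminated string literal
            raise ValueError(f"unrecognised input at offset {pos}")
        if m.lastgroup in ("str", "num"):
            parts.append("?")
        elif m.lastgroup == "word":
            parts.append(m.group().upper())
        else:
            parts.append(m.group())
        pos = m.end()
    return " ".join(parts)

def learn(queries):
    """Build the set of valid signatures from known-good queries."""
    return {signature(q) for q in queries}

def is_valid(query, valid_signatures):
    """Structure-level check: the query's signature must already be known."""
    try:
        return signature(query) in valid_signatures
    except ValueError:
        return False

# Constructed sample: one known-good query defines the only valid structure.
KNOWN = learn(["SELECT prize, color FROM inventory WHERE ProdID = 7"])
```

With this sketch, the query containing "OR 1=1" passes `char_filter_ok` but fails `is_valid`, because its signature ends in `= ? OR ? = ?` rather than `= ?`.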

Accordingly, applicant has amended independent claims 1, 8, and 15 to 
clarify that the present invention parses the query at the database. These 
amendments find support in paragraphs [0029] and [0033]-[0034], and in FIG. 4 
of the instant application. 

Hence, Applicant respectfully submits that independent claims 1, 8, and 15 
as presently amended are in condition for allowance. Applicant also submits that 
claims 2-7, which depend upon claim 1, claims 9-14, which depend upon claim 8, 
and claims 16-21, which depend upon claim 15, are for the same reasons in 
condition for allowance and for reasons of the unique combinations recited in 
such claims. 

CONCLUSION 

It is submitted that the present application is presently in form for 
allowance. Such action is respectfully requested. 



Respectfully submitted. 